★ Default bytes32(0) acceptable as valid root

Cap (cUSD / stcUSD)'s assessment for RD-F-154 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Cap uses LayerZero v2 OFT, which uses a DVN attestation model rather than Merkle root-based message validation. The Nomad-class bytes32(0) default-root vulnerability (acceptance of uninitialized Merkle root = accept any message, $190M) does not apply to LayerZero v2 architecture which has no Merkle root acceptance path.

Sources #

GitHub
OFTLockboxUpgradeable.sol — LZ v2, no Merkle root; Nomad pattern N/AOFTLockboxUpgradeable.sol: OFTAdapterUpgradeable from @layerzerolabs/oft-evm-upgradeable (v2); no Merkle root acceptance in LZ v2 architectureretrieved 2026-05-17

Methodology #

Determine whether the bridge inbox accepts a default-value (bytes32(0)) Merkle root as a valid proof root (Nomad bug class).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol cap factor RD-F-154 score not_applicable collected_at 2026-05-17 10:56:24